How To Protect your Linux Server Against the GHOST Vulnerability

On January 27, 2015, a GNU C Library (glibc) vulnerability, referred to as the GHOST vulnerability, was announced to the general public. In summary, the vulnerability allows remote attackers to take complete control of a system by exploiting a buffer overflow bug in glibc’s GetHOST functions (hence the name). Like Shellshock and Heartbleed, this vulnerability is serious and affects many servers.

The GHOST vulnerability can be exploited on Linux systems that use versions of the GNU C Library prior to glibc-2.18. That is, systems that use an unpatched version of glibc from versions 2.2 to 2.17 are at risk. Many Linux distributions including, but not limited to, the following are potentially vulnerable to GHOST and should be patched:

CentOS 6 & 7

Debian 7

Red Hat Enterprise Linux 6 & 7

Ubuntu 10.04 & 12.04

End of Life Linux Distributions

It is highly recommended that you update and reboot all of your affected Linux servers. We will show you how to test if your systems are vulnerable and, if they are, how to update glibc to fix the vulnerability.

Check System Vulnerability

The easiest way to test if your servers are vulnerable to GHOST is to check the version of glibc that is in use. We will cover how to do this in Ubuntu, Debian, CentOS, and RHEL.

Note that binaries that are statically linked to the vulnerable glibc must be recompiled to be made safe—this test does not cover these cases, only the system’s GNU C Library.

Ubuntu & Debian

Check the version glibc by looking up the version of ldd (which uses glibc) like this:

ldd --version

The first line of the output will contain the version of eglibc, the variant of glibc that Ubuntu and Debian use. It might look like this, for example (the version is highlighted in this example):

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

If the version of eglibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:

Ubuntu 12.04 LTS: 2.15-0ubuntu10.10

Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20

Debian 7 LTS: 2.13-38+deb7u7

If the version of eglibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.

CentOS & RHEL

Check the version glibc with rpm:

rpm -q glibc

The output should look like this, with the package name followed by version information:

glibc-2.12-1.132.el6_5.4.x86_64

If the version of glibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:

CentOS 6: glibc-2.12-1.149.el6_6.5

CentOS 7: glibc-2.17-55.el7_0.5

RHEL 5: glibc-2.5-123.el5_11.1

RHEL 6: glibc-2.12-1.149.el6_6.5

RHEL 7: glibc-2.17-55.el7_0.5

If the version of glibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.

Fix Vulnerability

The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc. The following subsections cover updating glibc on various Linux distributions, including Ubuntu, Debian, CentOS, and Red Hat.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update all of your packages to the latest version available via apt-get dist-upgrade:

sudo apt-get update && sudo apt-get dist-upgrade

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.

Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).

YUM: CentOS / RHEL

Update glibc to the latest version available via yum:

sudo yum update glibc

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.

Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).